MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing - or a bad thing.
But well here it is anyway.
Features
The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.
Requirements
MultiInjector.py
Or read more here.
But well here it is anyway.
Features
- Receives a list of URLs as input
- Recognizes the parameterized URLs from the list
- Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
- Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
- OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
- Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
- Optional use of an HTTP proxy to mask the origin of the attacks
The author highly recommend running a HTTP sniffer such as IEInspector HTTP Analyzer in order to see all attack requests going out to the targets.
Requirements
- Python >= 2.4
- Pycurl (compatible with the above version of Python)
- Psyco (compatible with the above version of Python)
MultiInjector.py
Or read more here.
1 comments:
You may download MultiInjector v0.3 at:
http://chaptersinwebsecurity.blogspot.com/2008/11/multiinjector-v03-released.html
New features include:
1) Automatic defacement:
Try to concatenate a string to all user-defined text fields in DB
2) Run OS shell command on DB server:
Run any OS command as if you're running a command console on the DB machine
3) Run SQL query on DB server:
Execute SQL commands of your choice
4) Enable OS shell procedure on DB:
Revive the good old XP_CMDSHELL where it was turned off
(default mode in MSSQL-2005)
5) Add administrative user to DB server with password: T0pSeKret
Automagically join the Administrators family on DB machine
6) Enable remote desktop on DB server:
Turn remote terminal services back on...
It's a more stable and field-tested version.
Hope you enjoy.